2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -5,7 +5,7 @@ go 1.25.6
require (
github.com/ecosyste-ms/ecosystems-go v0.1.1
github.com/git-pkgs/purl v0.1.12
github.com/git-pkgs/registries v0.5.1
github.com/git-pkgs/registries v0.6.0
github.com/git-pkgs/vers v0.2.5
)

4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -13,8 +13,8 @@ github.com/git-pkgs/pom v0.1.4 h1:C6st+XSbF75eKuwfdkDZZtYHoTcaWRIEQYar5VtszUo=
github.com/git-pkgs/pom v0.1.4/go.mod h1:ufdMBe1lKzqOeP9IUb9NPZ458xKV8E8NvuyBMxOfwIk=
github.com/git-pkgs/purl v0.1.12 h1:qCskrEU1LWQhCkIVZd992W5++Bsxazvx2Cx1/65qCvU=
github.com/git-pkgs/purl v0.1.12/go.mod h1:ofp4mHsR0cUeVONQaf33n6Wxg2QTEvtUdRfCedI8ouA=
github.com/git-pkgs/registries v0.5.1 h1:UPE42CyZAsOfqO3N5bDelu28wS4Ifx/aOj0XZS4qYeI=
github.com/git-pkgs/registries v0.5.1/go.mod h1:BY0YW+V0WDGBMuDR2aSMR3NzOPFK4K+F3j6+ch+cq3M=
github.com/git-pkgs/registries v0.6.0 h1:ttQC8via9XAoLk9vqysf0K7uWl1bAyHPBWRBavRpAqs=
github.com/git-pkgs/registries v0.6.0/go.mod h1:BY0YW+V0WDGBMuDR2aSMR3NzOPFK4K+F3j6+ch+cq3M=
github.com/git-pkgs/spdx v0.1.3 h1:YQou23mLfzbW//6JlHUuc5x1P5VNIIDSku5gvauf86I=
github.com/git-pkgs/spdx v0.1.3/go.mod h1:4HGGWyC8tg4DjOhrtBTYl4Lu+5i2BFuauGX8zcVcYPg=
github.com/git-pkgs/vers v0.2.5 h1:tDtUMik9Iw1lyPHdT5V6LXjLo9LsJc0xOawURz7ibQU=
6 changes: 5 additions & 1 deletion registries.go
Expand Up @@ -7,6 +7,7 @@ import (
"github.com/git-pkgs/purl"
"github.com/git-pkgs/registries"
_ "github.com/git-pkgs/registries/all"
"github.com/git-pkgs/registries/client"
"github.com/git-pkgs/vers"
)

Expand All @@ -21,7 +22,10 @@ func NewRegistriesClient() *RegistriesClient {
}

func newRegistriesClient(userAgent string) *RegistriesClient {
c := registries.DefaultClient()
// PURLs may carry an attacker-supplied repository_url qualifier that
// NewFromPURL/BulkFetchPackages will fetch from; gate the client's
// transport so loopback/RFC1918/link-local targets are refused.
c := registries.NewClient(client.WithSafeHTTP())
c.UserAgent = userAgent
return &RegistriesClient{client: c}
}
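Review bot: The comment above `c := registries.NewClient(client.WithSafeHTTP())` restates the address classes the gate refuses (loopback/RFC1918/link-local), but the policy actually lives in the registries/client dependency and the only case verified on this page is IPv4 loopback in registries_test.go, so the list will drift silently when that package changes. I would keep the intent and point at the source of truth instead, e.g. `// repository_url comes from the PURL (untrusted); WithSafeHTTP makes the transport refuse private/internal targets — see client.WithSafeHTTP for the exact policy.` Swapping DefaultClient() for NewClient(...) may also drop whatever defaults DefaultClient carried (timeouts, redirect policy), which is not visible here; it is worth confirming that redirects returned by a public repository_url go through the same safe dialer, since a gate applied only to the initial dial would not cover them. newRegistriesClient is complete within the hunk; NewRegistriesClient above it starts outside the hunk.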
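--- a/registries_test.go
+++ b/registries_test.go
@@ -0,0 +1,30 @@
+package enrichment
+
+import (
+"context"
+"net/http"
+"net/http/httptest"
+"net/url"
+"sync/atomic"
+"testing"
+)
+
+func TestRegistriesClientBlocksLoopbackRepositoryURL(t *testing.T) {
+var hits int32
+srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+atomic.AddInt32(&hits, 1)
+w.WriteHeader(http.StatusOK)
+}))
+defer srv.Close()
+
+c := NewRegistriesClient()
+purl := "pkg:npm/lodash?repository_url=" + url.QueryEscape(srv.URL)
+
+_, err := c.GetVersions(context.Background(), purl)
+if err == nil {
+t.Fatalf("expected safehttp to refuse loopback %s, got nil error", srv.URL)
+}
+if n := atomic.LoadInt32(&hits); n != 0 {
+t.Fatalf("loopback server received %d requests; safehttp gate did not block dial", n)
+}
+}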
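Review bot: The `if err == nil` check after `_, err := c.GetVersions(context.Background(), purl)` accepts any error, so a GetVersions that fails before dialing (for instance on PURL parsing or qualifier handling) passes this test without the safe transport ever being exercised, and the zero-hit assertion cannot tell the two apart either. If the registries/client package exports a sentinel or typed error for refused targets, assert it with errors.Is/errors.As; otherwise at least match the error text, and consider a second case using an IPv6 loopback address (`[::1]`) next to the IPv4 httptest server so both loopback forms are covered. Since go.mod is at go 1.25, `var hits atomic.Int32` with `hits.Add(1)`/`hits.Load()` and `t.Context()` in place of `context.Background()` are the idiomatic forms here.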